Google Professional-Cloud-Network-Engineer Exam With Confidence Using Practice Dumps

To block traffic based on BGP ASN, you need to use Cloud Armor network edge security policies. Backend security policies protect backend services (like those behind an external HTTP(S) Load Balancer), but for traffic directly to Compute Engine instances with public IPs, you need a network edge security policy. Firewall policies operate at the VPC level and do not have the capability to filter based on BGP ASN. The —network-src-asns parameter is specifically used with Cloud Armor network edge security policies to filter traffic based on the source ASN.

Exact Extract:

"Cloud Armor network edge security policies can protect external IP addresses of virtual machine (VM) instances and load balancers. They support rules that allow or deny traffic based on various criteria, including source autonomous system numbers (ASNs) using the --network-src-asns parameter."

"Network edge security policies are designed for traffic destined for external IP addresses of Google Cloud resources that are not behind an external HTTP(S) load balancer, such as Compute Engine instances with public IP addresses."Reference: Google Cloud Armor Documentation - Network edge security policies overview

Creating custom learned routes at the hub’s Cloud Router is required for advertising VPC spokes’ subnets to the on-premises environment. This centralizes route configuration and ensures that all spoke subnet routes are propagated to the hybrid network.